On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.
Continue Reading New Guidelines for Companies from German Supervisory Authority (DPA-BW) following Schrems II
October 2020
FCC Reevaluating Certain TCPA Compliance Exemptions
Last week, the Federal Communications Commission (FCC) issued a notice of proposed rulemaking (NPRM) seeking comment on a proposal to review and potentially revise a number of existing exemptions that the FCC has adopted with respect to certain Telephone Consumer Protection Act (TCPA) requirements. The FCC’s review could end up narrowing or eliminating some of these longstanding exemptions, imposing consent requirements or other obligations that today are not required for certain kinds of calls and texts.
Coordinated OFAC and FinCEN Guidance on Ransomware Attacks Underscores the Regulatory Risk and Complexity of Paying a Ransom
Consistent with the U.S. Department of the Treasury’s ongoing focus on cyber-enabled financial crime, on October 1, 2020, two components of the Treasury Department’s Office of Terrorism and Financial Intelligence issued guidance on ransomware-related payments. One, an advisory issued by the Office of Foreign Assets Control (“OFAC”), describes the significant U.S. sanctions risks of facilitating ransomware payments, and expresses a strong policy preference against doing so. The second, an advisory issued by the Financial Crimes Enforcement Network (“FinCEN”), alerts financial institutions to trends and indicators of ransomware-related money laundering. Both underscore the difficult decisions faced by ransomware victims and third parties who assist them as they seek to navigate the loss of access to key data on the one hand, and increasingly significant regulatory risks that making a ransomware payment could entail on the other.
AI, IoT, and CAV Legislative Update: EU Spotlight (Third Quarter 2020)
In this edition of our regular roundup on legislative initiatives related to artificial intelligence (AI), cybersecurity, the Internet of Things (IoT), and connected and autonomous vehicles (CAVs), we focus on key developments in the European Union (EU).
French Supervisory Authority Publishes Final Version of Cookie Guidelines, Says It Will Start Enforcing Them in April 2021
On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines. In this blog post, we summarize the key points mentioned in the CNIL’s guidelines.
H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR
On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg. This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).